
In the Claims

SEP 14 2007

1. (Currently Amended) A method for maintaining data security comprising:

creating a package associated with a vault, the package comprising data bundled together
with one or more permissions for regulating use of the data, the one or more permissions comprising
one or more usage rule sets; and

providing a receiver for processing the package and storing the data in the vault,
the vault being dedicated hard drive space whose existence and contents are invisible to a user,
wherein the existence and contents of the hard drive space are invisible to the user by assignment
of false file names and locations as seen by the user.

2. (Original) A method according to claim 1, wherein the step of processing the package further
comprises opening the package and verifying the receiver for processing of the package.

3. (Original) A method according to claim 2 further comprising searching for at least one driver for
reading the package.

4. (Original) A method according to claim 1 further comprising detecting violation of said one or
more permissions.

5. (Original) A method according to claim 4 wherein the step of providing a receiver further
comprises providing internal security.

6. (Original) A method according to claim 5, wherein the internal security comprises creating a tag
file corresponding to the data and mapping the tag file against the data in a virtual table, with the
virtual table including an actual file name of the data and a corresponding tag name for the tag file,
wherein the virtual table and the data are stored in the vault.

7. (Original) A method according to claim 5, wherein the step of providing internal security 
comprises identifying an anchor address corresponding to an original location for at least one of the 
vault, a driver used for reading of the package and a database storing the permissions, combining the 


PAGE 3/39 • RCVD AT 9/14/2007 9:39:56 AM [Eastern Daylight Time] • SVR:USPTO-EFXRF-1/4 • DNIS:2738300 • CSID: • DURATION (mm-ss):22-26






addresses together to provide a key for regulating system operation and identifying when the key will 
not operate. 

8. (Original) A method according to claim 5, wherein step of creating a package further comprises
an executable for verifying the operation of the receiver when the package is opened.

9. (Original) A method according to claim 5, wherein the internal security comprises the monitoring 
of a registry comprising: 

requesting a handle for a registry key to a calling process; requesting a registry key value for 
the handle; and obtaining security clearance to complete the requests. 

10. (Original) The method of claim 9 further comprising after requesting a handle for a registry key
to a calling process:

determining a process ID and registry key; determining whether the process is secured by
checking a secured process list;

if the process is secured, determining whether the registry key is on a rejection list;

if the registry key is on the rejection list, denying the process access to the registry key; and

if the process is not on the secured list or if the registry key name is not on the rejection list,
completing the request.

11. (Original) The method of claim 9 further comprising after requesting a registry key value for the
handle:

determining a process ID and registry key value;

determining whether the process is secured by checking the secured process list;
if the process is secured, determining whether the registry key is on the rejection list;
if the registry key is on the rejection list, denying the process access to the registry key value;
if the process is not on the secured list, completing the request;

if the registry key is not on the rejection list and the process is on the secured process list,
processing the value request and determining whether the value is on the rejection list;
if the value is not on the rejection list allowing the request to be completed; and
if the value is on the rejection list denying access to the registry key value.

12. (Original) The method of claim 9 further comprising after modifying and deleting handles and 
values: 

determining a process ID; 

determining whether the process is secured by checking whether the process is on the secured
process list;

if the process is not on the secured process list, completing the request; and

if the process is on the secured process list, not allowing the request to be completed. 
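
The decision flow of claims 10 to 12, written out as an added C sketch (not code from the application). The list contents, function names, sample PIDs and registry names are all constructed for illustration, and case-insensitive name matching is an assumption based on Windows registry behaviour.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { REG_COMPLETE, REG_DENY } reg_verdict;

/* Constructed sample data: none of these PIDs or names come from the claims. */
static const unsigned long secured_pids[] = { 4120UL, 5008UL };
static const char *const rejected_keys[] = {
    "HKCU\\Software\\ExampleViewer\\RecentFiles",
    "HKLM\\Software\\ExampleViewer\\Export",
};
static const char *const rejected_values[] = { "LastSavePath", "ClipboardCache" };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Case-insensitive comparison (assumption: registry names ignore case). */
static bool name_eq(const char *a, const char *b)
{
    while (*a && *b) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
        a++;
        b++;
    }
    return *a == *b;
}

static bool on_list(const char *const *list, size_t n, const char *name)
{
    if (name == NULL)
        return false;
    for (size_t i = 0; i < n; i++)
        if (name_eq(list[i], name))
            return true;
    return false;
}

static bool is_secured(unsigned long pid)
{
    for (size_t i = 0; i < COUNT(secured_pids); i++)
        if (secured_pids[i] == pid)
            return true;
    return false;
}

/* Claim 10: a process asks for a handle to a registry key. */
reg_verdict filter_open_key(unsigned long pid, const char *key)
{
    if (is_secured(pid) && on_list(rejected_keys, COUNT(rejected_keys), key))
        return REG_DENY;
    return REG_COMPLETE;   /* unsecured process, or key not on the rejection list */
}

/* Claim 11: a process asks for a value under a key it holds a handle to. */
reg_verdict filter_query_value(unsigned long pid, const char *key, const char *value)
{
    if (!is_secured(pid))
        return REG_COMPLETE;
    if (on_list(rejected_keys, COUNT(rejected_keys), key))
        return REG_DENY;
    /* Key is acceptable, so the value name itself is checked. */
    if (on_list(rejected_values, COUNT(rejected_values), value))
        return REG_DENY;
    return REG_COMPLETE;
}

/* Claim 12: modify/delete requests are refused for secured processes. */
reg_verdict filter_modify_or_delete(unsigned long pid)
{
    return is_secured(pid) ? REG_DENY : REG_COMPLETE;
}

int main(void)
{
    static const char *const label[] = { "complete", "deny" };
    printf("secured open of rejected key : %s\n",
           label[filter_open_key(4120UL, "HKCU\\Software\\ExampleViewer\\RecentFiles")]);
    printf("secured query, rejected value: %s\n",
           label[filter_query_value(4120UL, "HKCU\\Software\\Other", "LastSavePath")]);
    printf("unsecured modify             : %s\n",
           label[filter_modify_or_delete(777UL)]);
    return 0;
}
```
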

13. (Original) A method according to claim 5, wherein the step of providing internal security 
comprises a method for monitoring shared memory comprising: 

providing a call to reserve a memory page for a requesting process; 

filtering the reserve call according to whether the page can be shared;

providing a call to commit the memory page for the requesting process or for a subsequent
requesting process; and

filtering the commit call according to whether the page can be shared and whether the process
can be secured.

14. (Original) The method of claim 13 wherein filtering the reserve call comprises:

determining whether the page can be shared based on request parameters;
if the page cannot be shared, allowing the request to be completed; and
if the page can be shared, tracking the reserve call by creating a record and entering the record
into a shared memory list.

15. (Original) The method of claim 14 wherein the record includes a process ID, page number and
share count.

16. (Original) The method of claim 13 wherein filtering the commit call comprises: 

determining, by accessing a shared memory list, if the page is shared by another process;
if the page is shared, determining whether either of the sharing processes are secured by
accessing a secured process list;

if either process is secured, disallowing page sharing;

if both processes are not secured, creating a new shared memory record, updating the share
count for processes sharing the page and updating the shared memory list with information contained
in the new record; and

if the page is not shared, completing the commit request. 

17. (Original) The method of claim 16 wherein the record includes a process ID, page number and 
share count. 

18. (Original) The method of claim 13 further comprising: 

providing a call to free the memory page of all address spaces; 

determining whether the process is secured by checking a secured process list; 

if the process is secured, overwriting the page to delete secured data, and deleting all records 
in the shared memory list with a page number the same as the overwritten page; and 

if the process is not secured deleting all records from a shared memory list with a page
number corresponding to the unsecured process page.

19. (Original) A method according to claim 5 wherein the step of providing internal security further
comprises:

a vault provision step of providing a vault system for segregating vault data from other
system data; and

a file system security driver provision step of providing a file system security driver which
intercepts file system calls, and for each specific one of said intercepted file system calls, determines
whether said specific one of said intercepted file system calls is from a process accessing said vault
data, and, if said specific one of said intercepted file system calls is from a process accessing said
vault data, permitting the file system call to create or modify data only within said vault system.

20. (Original) The method of claim 19, where said file system security driver provision step further
comprises a file open handling step of, for each specific one of said intercepted file system calls
which is a file open call, comprising the steps of:

determining whether said file open call is a request for data from among said vault data; and
if said file open call is a request for data from among said vault data, performing a check on
process making said request to see if said process is already a secured process which has previously
opened said data from among said vault data, and if so, allowing access to said vault data, and
performing an access check on process making said request, and then processing the request by
allowing access to said process which is not already a secured process if said access check is passed
but not allowing access at all if said access check is not passed;

if said file open call is not a request for data from among said vault data, performing a check
on said process making said request to see if said process is already a secured process, and passing
the request onto an operating system if said process making said request is not a secured process,
and, if said process making said request is a secured process, determining if file referred to in said
file open call exists, and if it does, opening said file for read only, and if it does not, creating said file
in said vault data.

21. (Original) The method of claim 20, wherein said processing the request by allowing access to
said process which had not previously been granted access to said vault data comprises the step of:

querying user to determine if said user would like to open said data from among said vault
data, and opening said data from among said vault data only if said user would like to open said data.

22. (Original) The method of claim 21, wherein said processing the request by allowing access to
said process which had not previously been granted access to said vault data comprises the step of:

recording said allowed access and monitoring total accesses allowed.

23. (Original) The method of claim 20, wherein said processing the request by allowing access to
said process which had not previously been granted access to said vault data comprises the step 
recording said process which had not previously been granted access to said vault data making said 
request in a list of processes allowed to access said vault data.

24. (Original) The method of claim 20, wherein said step of creating said file in said vault data
comprises the step of:

sending said secured process a stand-in file handle; creating a corresponding vault file
handle; and storing said stand-in file handle and said corresponding vault file handle.

25. (Original) The method of claim 20, wherein said step of opening said file for read only
comprises the steps modifying any file request flags of said file open call which indicating
modification of the file is permitted; and passing said modified file open call to said operating
system.

26. (Original) The method of claim 19, wherein said file system security driver provision step
further comprises a file request handling step of, for each specific one of said intercepted file system
calls which is a file read/write call, comprising the steps of:

determining whether said read/write request is a request for data from among said vault data;

if said read/write request is a request for data from among said vault data, allowing access if
process making said request is allowed to access said vault data; and

if said read/write request is a request for data not from among said vault data, allowing access
if said process making said request is not allowed to access said vault data, and allowing access if
said read/write request is a read request.

27. (Original) The method of claim 19, wherein said file system security driver provision step 
further comprises a file information request step, comprising the step of: 

determining whether said file information request is a request regarding data from among 
said vault data, and if not, passing said file information request to said operating system, and if so,
discerning correct file size and returning said correct file size.

28. (Original) The method of claim 19, wherein said file system security driver provision step
further comprises a file change request step, comprising the step of:
determining whether said file change request is a request regarding data from among said
vault data, and if so performing said file change request on said vault data, and if not, checking to see
if the requesting process is a secured process, and if not, passing said file change request to said
operating system, and if so, blocking the request.

29. (Original) The method of claim 19, wherein said file system security driver provision step 
further comprises: 

a file open handling step of, for each specific one of said intercepted file system calls which 
is a file open call, comprising the steps determining whether said file open call is a request for data 
from among said vault data; and

if said file open call is a request for data from among said vault data, performing a check on
process making said request to see if said process is already a secured process which has previously
opened said data from among said vault data, and if so, allowing access to said vault data, and
performing an access check on process making said request, and then processing the request by
allowing access to said process which is not already a secured process if said access check is passed
but not allowing access at all if said access check is not passed;

if said file open call is not a request for data from among said vault data, performing a check
on said process making said request to see if said process is already a secured process, and passing
the request onto an operating system if said process making said request is not a secured process,
and, if said process making said request is a secured process, determining if file referred to in said
file open call exists, and if it does, opening said file for read only, and if it does not, creating said file
in said vault data;

a file read/write request handling step of, for each specific one of said intercepted file system
calls which is a file read/write call, comprising the steps of:

determining whether said read/write request is a request for data from among said
vault data;

if said request is a request for data from among said vault data, allowing access if
process making said request is allowed to access said vault data; and
if said request is a request for data not from among said vault data, allowing access if
said process making said request is not allowed to access said vault data, and allowing access
if said read/write request is a read request;

a file information request step, comprising the step of:

determining whether said file information request is a request regarding data from
among said vault data, and if not, passing said file information request to said operating
system, and if so, discerning correct file size and returning said correct file size;
and

a file change request step, comprising the steps determining whether said file change
request is a request regarding data from among said vault data, and if so performing said file
change request on said vault data, and if not, checking to see if the requesting process is a
secured process, and if not, passing said file change request to said operating system, and if
so, blocking the request.

30. (Original) A method according to claim 5, wherein the step of providing internal security further
comprises monitoring a system clock of a computer to prevent unauthorized access to data
comprising the steps of:

initializing a clock monitor comprising the steps of:

reading a first time value from the system clock; determining whether a permissions
database having one or more clock-related permission field each field comprising one or
more clock-related permissions, and a stored time value field comprising a stored time value,
is initialized on the computer system;

if the permissions database is initialized, comparing the first time value to the stored
time value and, if the first time value is later than the stored time value, storing the first time
value in the stored time value field, if the first time value is earlier than the stored time value,
disabling the one or more clock-related permissions, whereby disabling the clock-related
permissions prevents access to the data; and

if the permissions database is not initialized, storing the first time value in the stored
time value field.

31. (Original) The method of claim 30 wherein the step of determining whether the permissions
database is initialized comprises the step of:

reading the stored time value from the stored time value field in the permissions database,
and if the stored value is zero, concluding that the permissions database is not initialized, and if the
stored time value field is other than zero, concluding that the permissions database is initialized.

32. (Original) The method of claim 30 further comprising the steps of:

tracking a true system time, which is the stored time value plus an internal elapsed time
measured from initialization of the clock monitor;

after a predetermined tracking interval, reading a second time value from the system clock;
comparing the second time value with the true system time and generating a time deviation
based on the comparison;

if the time deviation is not within an acceptable deviation, disabling the one or more
clock-related permissions;

if the time deviation is within the acceptable deviation, enforcing the clock-related
permissions; and

storing the true system time.

33. (Original) The method of claim 32, after the step of if the time deviation is not within an
acceptable deviation, disabling one or more clock-related permissions, further comprising the steps
of:

reading a third time value from the system clock;
comparing the third time value with the internal elapsed time;
generating a second time deviation based on the comparison; and

if the second time deviation is within the acceptable deviation, reenabling the clock-related
permissions, storing the true system time in the stored time value field, and storing the third time
value a last known good system time value field in the permissions database.

34. (Original) The method of claim 32 wherein the predetermined tracking interval is substantially
in the range of zero seconds to sixty seconds.

35. (Original) The method of claim 32 wherein the accepted deviation is substantially in the range of
zero seconds to three hours.
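
An added C sketch of the clock monitor in claims 30 to 32 (not code from the application). The struct and function names are hypothetical, times are in seconds, the internal elapsed time is supplied by the caller, and the three-hour bound is the upper end of the range in claim 35. Keeping the initialization-time base inside the monitor while writing the true time back to the stored field is one reading of claim 32.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Upper end of the acceptable-deviation range named in claim 35. */
#define ACCEPTABLE_DEVIATION_S (3 * 60 * 60)

/* Hypothetical stand-in for the clock fields of the permissions database. */
typedef struct {
    int64_t stored_time;         /* 0 means "not initialized" (claim 31) */
    bool    clock_perms_enabled; /* false: clock-related permissions disabled */
} perm_db;

/* Monitor state kept in memory while the system runs. */
typedef struct {
    int64_t base_time;  /* stored time value as of initialization */
    int64_t true_time;  /* base_time + internal elapsed time */
} clock_monitor;

/* Claim 30: initialize the monitor from the first system clock reading. */
bool clock_monitor_init(clock_monitor *m, perm_db *db, int64_t first_time)
{
    if (db->stored_time == 0) {
        /* Database not initialized: record the first reading. */
        db->stored_time = first_time;
    } else if (first_time > db->stored_time) {
        /* Clock moved forward since the last stored value: accept it. */
        db->stored_time = first_time;
    } else if (first_time < db->stored_time) {
        /* Clock reads earlier than a time already seen: treat as set back. */
        db->clock_perms_enabled = false;
    }
    /* The true time is tracked from the stored value, never from a
       clock reading that was just rejected. */
    m->base_time = db->stored_time;
    m->true_time = db->stored_time;
    return db->clock_perms_enabled;
}

/* Claim 32: periodic check of the system clock against the tracked time.
   elapsed_since_init is the internal elapsed time, which in this sketch
   the caller takes from a counter the user cannot set. */
bool clock_monitor_check(clock_monitor *m, perm_db *db,
                         int64_t elapsed_since_init, int64_t second_time)
{
    m->true_time = m->base_time + elapsed_since_init;

    int64_t deviation = second_time - m->true_time;
    if (deviation < 0)
        deviation = -deviation;

    if (deviation > ACCEPTABLE_DEVIATION_S)
        db->clock_perms_enabled = false;   /* outside the acceptable deviation */

    db->stored_time = m->true_time;        /* "storing the true system time" */
    return db->clock_perms_enabled;
}

int main(void)
{
    /* Constructed sample values (seconds); not taken from the application. */
    perm_db db = { 0, true };
    clock_monitor m;

    printf("init           -> enabled=%d\n", clock_monitor_init(&m, &db, 1000000));
    printf("tick, in sync  -> enabled=%d\n", clock_monitor_check(&m, &db, 60, 1000060));
    printf("tick, +4h jump -> enabled=%d\n",
           clock_monitor_check(&m, &db, 120, 1000120 + 4 * 3600));
    printf("stored time    = %lld\n", (long long)db.stored_time);
    return 0;
}
```
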

36. (Original) The method of claim 30 further comprising the steps of: 

tracking a true system time, which is the stored time value plus a true system time measured 
from initialization of the clock monitor;

reading a second time value from the system clock;

comparing the second time value with the true system time and generating a time deviation
based on the comparison; and

if the time deviation is within an acceptable deviation, storing the second time value in the
stored time value field.

37. (Original) The method of claim 36 further comprising the step of powering down the computer.

38. (Original) The method of claim 36 wherein the accepted deviation is substantially in the range of
zero seconds to three hours.

39. (Original) The method of claim 30 wherein the clock-related permissions comprise date-related
permissions.

40. (Original) A method according to claim 5 for providing data security in a first device driver 
operably installed in a computer operating system having a layered plurality of device drivers for
accessing data in a data storage device, the method comprising the steps of:

detecting an I/O request to said first device driver;

determining whether said first device driver is functionally uppermost in the layered plurality
of device drivers;

if said first device driver is functionally uppermost in the layered plurality of device drivers,
performing the I/O request in said first device driver; and
if said first device driver is not functionally uppermost in the layered plurality of device
drivers, denying the I/O request in said first device driver, and allowing the I/O request to be
performed by a next lower-level device driver in the layered plurality of device drivers.

41. (Original) The method of claim 40 wherein said first device driver is a file system monitor.

42. (Original) The method of claim 40 wherein the data is stored in a secure virtual file system, and
wherein the step of performing the I/O request further comprises the step of implementing data
security measures.

43. (Original) The method of claim 40 wherein the data is stored in encrypted form, and wherein the
step of performing the I/O request further comprises the step of decrypting the data.

44. (Original) The method of claim 40 wherein the step of performing the I/O request further
comprises the step of checking the data for viruses.

45. (Original) The method of claim 40 wherein the step of determining whether said first device
driver is functionally uppermost in the layered plurality of device drivers further comprises the steps
of:

determining whether said first device driver has been previously called;

if said first device driver has not been previously called, detecting an initial calling module
address, storing said initial calling module address, and concluding that said first device driver is
functionally uppermost in the layered plurality of device drivers;

if said first device driver has been previously called, detecting a second calling module
address, comparing said second calling module address to the initial calling module address, and
concluding that said first device driver is functionally uppermost in the layered plurality of device
drivers only if the initial calling module address matches the second calling module address.

46. (Original) The method of claim 40 wherein the step of denying the I/O request in the secure first
device driver comprises the steps of:
setting a first device driver shutdown flag; and
initiating a re-hook process.

47. (Original) The method of claim 40 further comprising, after the step of detecting an I/O request
to said first device driver, the steps of:

checking whether a first device driver shutdown flag is set; and

if said first device driver shutdown flag is set, omitting further steps in said first device
driver, and allowing the I/O request to be performed by a next lower-level device driver in the
layered plurality of device drivers.

48. (Original) The method of claim 47 wherein the step of initiating a re-hook process further 

comprises the steps of: 

counting the number of times the re-hook process has been initiated; 

checking whether the number of times has reached a predetermined maximum threshold;

if the number of times has reached a predetermined maximum threshold, initiating a
programmable security response;

if the number of times has not reached a predetermined
attachment of said first device driver functionally uppermost in the layered plurality of device
drivers;

if said first device driver has been reattached functionally uppermost in the layered plurality
of device drivers, unsetting said first device driver shutdown flag; and concluding the re-hook
process.

49. (Original) The method of claim 48 wherein the programmable security response comprises the
step of destroying the data.

50. (Original) The method of claim 48 wherein the data is stored in a secure virtual file system, and
wherein the step of destroying the data further comprises the step of destroying the secure virtual file
system.

51. (Original) The method of claim 48 wherein the programmable security response comprises the
step of terminating open applications.

52. (Original) The method of claim 48 wherein the programmable security response comprises the
step of destroying said first device driver on the data storage device.

53. (Original) The method of claim 48 wherein the programmable security response comprises the
step of halting the operation of the computer.

54. (Original) The method of claim 48 wherein the programmable security response comprises the
step of causing the computer to enter a state requiring reboot.

55. (Original) A method according to claim 1 further comprising: 

a port request detection step of detecting a port request for use of a port sent by a process; 

a process identification step of determining the identity of said requesting process; 

a process check step of determining if said process should be permitted to access said port; 

and 

a permit/deny step of allowing said port request to be fulfilled if said process should be
permitted to access said port and denying said port request if said process should not be permitted to 
access said port. 

56. (Original) The method of claim 55 wherein said process check step comprises: a secure process 
list check step of determining whether said process appears on a list of secure processes. 

57. (Original) The method of claim 55 further comprising: 
a tracking step of tracking said port request.

58. (Original) A method according to claim 5, wherein the step of providing internal security further 
comprises: 

a port request detection step of detecting a port request for use of a port sent by a process;
an open port process identification step of, if said port request is an open port request,
determining the identity of said requesting process;

an open port process check step of, if said port request is an open port request, determining if
said process should be permitted to open said port;

an open port permit/deny step of, if said port request is an open port request, allowing said
open port request to be fulfilled and tracking said open port request if said process should be
permitted to open said port and denying said port request if said process should not be permitted to
open said port;

a close port process completion step of, if said port request is a close port request, completing
said port request; and

a close port logging step of logging the closing of said port.

59. (Original) The method according to claim 58 where said open port process check step 
comprises: 

a secure process list check step of determining whether said process appears on a list of 
secure processes. 

60. (Original) The method according to claim 58 where said tracking of said open port request
comprises keeping a log of process ID and returned port handle for said open port request, and said
close port logging step of tracking the closing of said port comprises removing from said log said
record of process ID and returned port handle for that port close request.

61. (Original) The method according to claim 60 further comprising:

a security check step comprising the steps of checking whether a process has open ports, and
denying security clearance for a process with open ports, and allowing security clearance for a
process with no open ports.

62. (Original) The method according to claim 61 wherein said open port process check step of
comprises determining if said process identity appears on a secured process list, and where said step
of allowing security clearance for a process with no open ports comprises the step of placing said
process on said secured process list.

63. (Original) A method according to claim 5, wherein the step of providing internal security further
comprises:

a network request detection step of detecting a network request for use of a network sent by a 
process; 

a process identification step of determining the identity of said requesting process; 
a process check step of determining if said process should be permitted to access said 
network; and 

a step of allowing said network request to be fulfilled if said process should be permitted to 
access said network and denying said network request if said process should not be permitted to 
access said network.

64. (Original) The method according to claim 63 wherein said process check step comprises: a
secure process list check step of determining whether said process appears on a list of secure
processes.

65. (Original) The method according to claim 64, wherein said network requests interface is the
Transport Data Interface. 

66. (Original) A method according to claim 1, wherein the step of creating a package comprises: 

receiving a file of data for packaging; receiving a permissions database having one or more 
permissions associated with the file of data, the one or more permissions governing a client's use of
the file;

generating a package global unique identifier; generating a package of data comprising the
file, the one or more permissions and the global unique identifier; encrypting the package; and
generating a computer executable file comprising the encrypted package.

67. (Original) The method of claim 66 wherein the one or more permissions are selected from the
group consisting an access count permission, an access time permission, an expiration date
permission, an authorization date permission, a clipboard permission, a print permission, an
unlimited access permission, an application permission, and a system-events permission.

68. (Original) The method of claim 67 further comprising the step of setting a password for access
to the computer executable file.

69. (Original) The method of claim 68 wherein the package of data further comprises a recipient
global unique identifier and further comprising the step of receiving the recipient global unique
identifier after the step of generating a package global unique identifier.

70. (Original) The method of claim 69 wherein the package of data further comprises a client
software.

71. (Original) A method according to claim 1 further comprising:

receiving a file of data for packaging;

receiving a package permissions database having one or more permissions associated with the
file of data, the one or more permissions governing a clients use of the file;
generating a package global unique identifier;

generating a package of data comprising the file of data, the one or more permissions, the 
global unique identifier, and a client software; 
encrypting the package; 

generating a computer executable file comprising the encrypted package; 
receiving the computer executable file at a client computer system having an operating 
system; 

executing the computer executable file at the client computer system comprising the steps 
determining whether the operating system is a compatible operating system, and if so, executing a 
client software on the client computer system, the execution of the client software creating a client 
permissions database and a vault on the client computer system; and 
determining whether the encrypted package is valid, and if so, recording the package global
unique identifier in the client permissions database, extracting the file of data and the one or more
permissions from the package of data, storing the file of data in the vault and storing the one or more
permissions in the client permissions database, and if not, setting a state in the computer executable
file to indicate that the package is installed.

72. (Original) The method of claim 71 further comprising the step of determining whether a second
package is loaded on the computer system, and if so, terminating the second package, before the step 
of executing a client software on the client computer system. 

73. (Original) The method of claim 72 wherein the step of determining whether the package is valid 
comprises the steps of searching the client permissions database for the package global unique
identifier and, concluding that the package is valid if the package global unique identifier is not in 
the client permissions database, and concluding that the package is invalid if the package global 
unique identifier is not in the client permissions database. 

74. (Original) The method of claim 73 wherein the package further comprises the client software 
having a version designation and, before the step of executing the client software, determining
whether a second version of the client software is installed on the client computer system, and if not,
extracting the client software from the package and installing the client software on the client
computer system. 

75. (Original) The method of claim 74 wherein if a second version of the client software is installed 
on the client computer system, determining whether the version designation of the client software 
installed on the client computer system is earlier than the second version, and if so, extracting the 
client software from the package and installing the client software on the client computer system. 

76. (Original) The method of claim 74 wherein the client software comprises one or more device
drivers and the client permissions database and the vault are generated by at least one of the one or
more device driver.

77. (Original) The method of claim 71 wherein the client software comprises one or more device
drivers and the client permissions database and the vault are generated by at least one of the one or
more device driver.

78. (Original) The method of claim 71 wherein the package further comprises a receiver global
unique identifier, and wherein the step of determining whether the encrypted package is valid
comprises the steps of searching the client permissions database for a second receiver global unique
identifier, and if not found, concluding that the package is invalid, and if found, comparing the
receiver global unique identifier to the second receiver global unique identifier, determining whether
they match, and if so, concluding that the package is valid, and if not, concluding that the package is
invalid.

79. (Original) The method of claim 71 wherein the one or more permissions are selected from the
group consisting an access count permission, an access time permission, an expiration date
permission, an authorization date permission, a clipboard permission, a print permission, an
unlimited access permission, an application permission, and a system-events permission. 

80. (Original) The method of claim 71 wherein the computer executable file is password protected.

81. (Original) A method according to claim 5, wherein the step of providing internal security 
comprises: 

detecting a file system request; completing said file system request; 
receiving return information from said file system request; 

determining whether said file system request is for a tag file associated with a secured file; 

and 

if so, modifying said return information to reflect a file attribute of the secured file. 

82. (Original) The method of claim 81 wherein said file attribute is file size.

83. (Original) The method of claim 81 wherein the step of determining further comprises the steps
of:

determining whether said return information identifies a plurality of tag files associated with
a plurality of secured files; and

if so, modifying said return information to reflect a file attribute of the plurality of secured
files.

84. (Original) The method of claim 81 wherein the secured file is stored in encrypted form.

85. (Original) The method of claim 81 wherein the secured file is stored in a secure virtual file
system.

86. (Original) The method of claim 81 wherein the secured file is stored on a remote networked 
device. 

87. (Original) The method of claim 81 wherein the file system request is to open a file. 

88. (Original) The method of claim 81 wherein the file system request is to delete a file. 

89. (Original) The method of claim 81 wherein the file system request is to rename a file.

90. (Original) The method of claim 81 wherein the file system request is to query file information.

91. (Original) The method of claim 83 wherein the file system request is to set file information.

92. (Original) The method of claim 83 wherein the file system request is to find a first matching file.

93. (Original) The method of claim 83 wherein the file system request is to find a next matching file.

94. (Original) The method of claim 83 wherein the file system request is directory control.

95. (Currently Amended) A system for maintaining data security comprising:

a receiver for processing a package associated with a vault, the package comprising data 
bundled together with one or more permissions for regulating use of the data, the one or more 
permissions comprising one or more usage rule sets; and 

the vault located within the receiver for storing the data, the vault being dedicated hard drive
space whose existence and contents are invisible to a user, wherein the existence and contents of the
hard drive space are invisible to the user by an assignment of false file names and locations as seen
by the user.

96. (Original) A system according to claim 95 further comprising internal
data stored in the vault. 

97. (Original) A system according to claim 96, wherein the internal security further detects violation
of said one or more permissions. 

98. (Original) A system according to claim 97, wherein the internal security comprises a tag file 
corresponding to the data, and a virtual table mapping the tag file against the data by using an actual 
file name for the data and a tag name for the tag file, wherein the virtual table and data are stored in 
the vault.

99. (Original) A system according to claim 97, wherein the internal security comprises an anchor 
address corresponding to an original location for at least one of the vault, a driver used for reading of 
the package and a database storing the permissions, combining the addresses together to provide a 
key for regulating system operation and identifying when the key will not operate. 

100. (Original) A system according to 97, wherein the internal security further comprises a registry 
monitoring system comprising: 

a handle for a registry key to a calling process; 
a registry key value for the handle; 
a process ID and registry key; 

security clearance to complete the requests;
wherein the process is secured by checking a secured process list; 
if the process is secured, determining whether the registry key is on a rejection list; 
if the registry key is on the rejection list, denying the process access to the registry key; and 
if the process is not on the secured list or if the registry key name is not on the rejection list,
completing the request.

101. (Original) A system according to claim 97, wherein the internal security comprises a shared
memory system comprising:

a call to reserve a memory page for a requesting process; 
the reserve call filtered according to whether the page can be shared; 
a call to commit the memory page for the requesting process or for a subsequent process; 
the commit call filtered according to whether the page can be shared and whether the process 
can be secured. 

102. (Original) A system according to claim 97 wherein the internal security further comprises:

a vault system for segregating vault data from other system data; and
a file system security driver which intercepts file system calls, and for each specific one of
said intercepted file system calls, determining whether said specific one of said intercepted file
system calls is from a process accessing said vault data, and, if said specific one of said intercepted
file system calls is from a process accessing said vault data, permitting the file system call to create
or modify data only within said vault system.

103. (Original) A system according to claim 97, wherein the internal security further comprises a
system for monitoring a system clock of a computer to prevent unauthorized access to data 
comprising: 

reading a first time value from the system clock; 

determining whether a permissions database having one or more clock-related permission 
field each field comprising one or more clock-related permissions, and a stored time value field 
comprising: 
a stored time value, is initialized on the computer system;

if the permissions database is initialized, comparing the first time value to the stored 
time value and, if the first time value is later than the stored time value, storing the first time 
value in the stored time value field, if the first time value is earlier than the stored time value, 
disabling the one or more clock-related permissions, whereby disabling the clock-related 
permissions prevents access to the data; and 

if the permissions database is not initialized, storing the first time value in the stored 
time value field. 

104. (Original) A system according to claim 97, wherein the internal security comprises:

detecting an I/O request to said first device driver;

determining whether said first device driver is functionally uppermost in the layered plurality
of device drivers;

if said first device driver is functionally uppermost in the layered plurality of device drivers,
performing the I/O request in said first device driver, and

if said first device driver is not functionally uppermost in the layered plurality of device
drivers, denying the I/O request in said first device driver, and allowing the I/O request to be
performed by a next lower-level device driver in the layered plurality of device drivers.

105. (Original) A system according to claim 97, wherein the internal security comprises: 

a port request detection step of detecting a port request for use of a port sent by a process; 

a process identification step of determining the identity of said requesting process; 

a process check step of determining if said process should be permitted to access said port;

and

a step of allowing said port request to be fulfilled if said process should be permitted to
access said port and denying said port request if said process should not be permitted to access said
port.

106. (Original) A system according to claim 97, wherein internal security comprises: 

a port request detection step of detecting a port request for use of a port sent by a process; 
an open port process identification step of, if said port request is an open port request,
determining the identity of said requesting process;

an open port process check step of, if said port request is an open port request, determining if
said process should be permitted to open said port;

an open port step of, if said port request is an open port request, allowing said open port
request to be fulfilled and tracking said open port request if said process should be permitted to open
said port and denying said port request if said process should not be permitted to open said port;

a close port process completion step of, if said port request is a close port request, completing
said port request; and

a close port logging step of logging the closing of said port.

107. (Original) A system according to claim 97, wherein internal security comprises: 

a network request detection step of detecting a network request for use of a network sent by a 
process; 

a process identification step of determining the identity of said requesting process;
a process check step of determining if said process should be permitted to access said 
network; and a 

step of allowing said network request to be fulfilled if said process should be permitted to 
access said network and denying said network request if said process should not be permitted to 
access said network. 

108. (Original) A system according to claim 96 comprising: 

a machine readable medium having information packaging software that generates a 
computer executable file comprising a package of information, the package of information 
comprising: 

a file of data; a permissions database having one or more permissions associated with 
the file of data; 

an encryption software; 

a network in communication with the machine readable medium; 
a client computer system in communication with the network, the computer system
adapted to receive the package of information and execute the computer executable file, the
computer system having a client permissions database and a vault adapted to receive the 
package of information. 

109. (Original) The system of claim 108 wherein the package of information further comprises a 
package global unique identifier, and the client computer system further comprises a module of
computer code adapted to read the package global unique identifier, search the client permissions
database for the package global unique identifier, and reject the package if the package global unique 
identifier is found in the client permissions database. 

110. (Original) The system of claim 109 wherein the package of information further comprises a
recipient global unique identifier, and the client computer system further comprises a module of
computer code adapted to read the recipient global unique identifier, search the client permissions
database for the recipient global unique identifier, and reject the package if the recipient global
unique identifier is not found in the client permissions database.
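The two rejection checks recited in claims 109 and 110, together with the recording step of claim 71, can be sketched as follows. This is an added illustration, not code from the application: the class names, the `receive_package` function, the GUID values and the sample package contents are all constructed, and decryption of the package is left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed identifiers for the demonstration; not values from the claims.
THIS_RECIPIENT = "0f8fad5b-d9cb-469f-a165-70867728950e"
OTHER_RECIPIENT = "7c9e6679-7425-40de-944b-e07fc1f90ae7"


@dataclass(frozen=True)
class Package:
    """Already-decrypted package: file, permissions and the two GUIDs."""
    package_guid: str
    recipient_guid: str
    file_name: str
    file_data: bytes
    permissions: Tuple[str, ...]


@dataclass
class ClientPermissionsDB:
    """Hypothetical model of the client permissions database."""
    recipient_guids: Set[str]
    installed: Dict[str, Tuple[str, ...]] = field(default_factory=dict)


@dataclass
class Vault:
    """Hypothetical model of the vault, keyed by (package GUID, file name)."""
    files: Dict[Tuple[str, str], bytes] = field(default_factory=dict)


def receive_package(pkg: Package, db: ClientPermissionsDB,
                    vault: Vault) -> Tuple[bool, str]:
    """Validate a package and, only if valid, record and store it."""
    # Claim 109: reject if the package GUID is already in the database.
    if pkg.package_guid in db.installed:
        return False, "package GUID already recorded"
    # Claim 110: reject if the recipient GUID is not in the database.
    if pkg.recipient_guid not in db.recipient_guids:
        return False, "recipient GUID not found"
    # Claim 71: record the GUID, store permissions, put the file in the vault.
    # Nothing is written before both checks pass, so a rejected package
    # leaves the database and the vault untouched.
    db.installed[pkg.package_guid] = pkg.permissions
    vault.files[(pkg.package_guid, pkg.file_name)] = pkg.file_data
    return True, "installed"


# Constructed sample packages.
PKG_A = Package("11111111-2222-4333-8444-555555555555", THIS_RECIPIENT,
                "report.doc", b"constructed file contents",
                ("access_count", "expiration_date"))
PKG_MISDELIVERED = Package("66666666-7777-4888-8999-aaaaaaaaaaaa",
                           OTHER_RECIPIENT, "other.doc", b"constructed",
                           ("print",))


def demo() -> Tuple[List[Tuple[bool, str]], ClientPermissionsDB, Vault]:
    """Deliver PKG_A twice, then a package addressed to another recipient."""
    db = ClientPermissionsDB(recipient_guids={THIS_RECIPIENT})
    vault = Vault()
    results = [receive_package(p, db, vault)
               for p in (PKG_A, PKG_A, PKG_MISDELIVERED)]
    return results, db, vault


if __name__ == "__main__":
    for ok, reason in demo()[0]:
        print(ok, reason)
```
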

111. (Original) The system of claim 110 wherein the one or more permissions are selected from the
group consisting an access count permission, an access time permission, an expiration date
permission, an authorization date permission, a clipboard permission, a print permission, an
unlimited access permission, an application permission, and a system-events permission.

112. (Original) A system according to claim 97, wherein the system comprises a device driver for 
accessing data, the device driver operably installed in an operating system on an electronic computer,
wherein said device driver:

detects a file system request; completes said file system request;
receives return information from said file system request;

determines whether said file system request is for a tag file associated with a secured file; and
if so, modifies said return information to reflect a file attribute of the secured file.

113. (Original) The system of claim 112 wherein said file attribute is file size.

114. (Original) The system of claim 113 wherein said device driver further determines whether said
return information identifies a plurality of tag files associated with a plurality of secured files; and if
so, modifies said return information to reflect a file attribute of the plurality of secured files.

115. (Original) The system of claim 114 wherein said first device driver is a file system monitor.

116. (Original) The system of claim 114 wherein the secured file is stored in encrypted form.

117. (Original) The system of claim 114 wherein the secured file is stored in a secure virtual file
system.

118. (Original) The system of claim 114 wherein the secured file is stored on a remote networked
device.

119. (Original) The system of claim 114 wherein the file system request is to open a file.

120. (Original) The system of claim 114 wherein the file system request is to delete a file.

121. (Original) The system of claim 114 wherein the file system request is to rename a file.

122. (Original) The system of claim 114 wherein the file system request is to query file information.

123. (Original) The system of claim 114 wherein the file system request is to set file information.

124. (Original) The system of claim 123 wherein the file system request is to find a first matching
file.

125. (Original) The system of claim 123 wherein the file system request is to find a next matching
file. 

126. (Original) The system of claim 123 wherein the file system request is directory control. 

127. (Original) A system according to 97, further comprising a port blocking system, wherein said 
port blocking system operates to detect a port request for use of a port sent by a process; determine
the identity of said requesting process; determine if said process should be permitted to access said 
port; and allow said port request to be fulfilled if said process should be permitted to access said port 
and deny said port request if said process should not be permitted to access said port. 

128. (Original) A system according to 97, further comprising a network blocking system, wherein
said network blocking system operates to determine the identity of said requesting process; 
determine if said process should be permitted to access said network; and allow said network request 
to be fulfilled if said process should be permitted to access said network and deny said network 
request if said process should not be permitted to access said network. 

129. (Currently Amended) A computer program product for monitoring data security embodied in a
memory medium that when read out directs a system to perform at least one of:

creating a package associated with a vault, the package comprising data bundled together 
with one or more permissions for regulating use of the data, the one or more permissions comprising 
one or more usage rule sets; and 

opening the package and storing the data in the vault for restricted access of the data, the
vault being dedicated hard drive space whose existence and contents are invisible to a user, wherein
the existence and contents of the hard drive space are invisible to the user by an assignment of false
file names and locations as seen by the user.

130. (Previously Presented) A computer program product according to claim 129 further directing 
the system to detect violations of said one or more permissions.

131. (Previously Presented) A computer program product according to claim 130 further directing
the system to create a tag file corresponding to the data in the vault and to map the tag file against the
data in a virtual table, with the virtual table stored in the vault and including an actual file name of
the data and a corresponding tag name for the tag file.

132. (Previously Presented) A computer program product according to claim 130, further directing
the system to provide internal security including identifying an anchor address corresponding to an 
original location for at least one of the vault, a driver used for reading of the package and a database 
storing the permissions, combining the addresses together to provide a key for regulating system 
operation and identifying when the key will not operate. 

133. (Previously Presented) A computer program product according to claim 130 further directing 
the system to monitor a registry via: 

requesting a handle for a registry key to a calling process; 
requesting a registry key value for the handle; and 
obtaining security clearance to complete the requests.

134. (Previously Presented) A computer program product according to claim 130 further directing
the system to monitor shared memory via: 

providing a call to reserve a memory page for a requesting process; 

filtering the reserve call according to whether the page can be shared; 

providing a call to commit the memory page for the requesting process or for a subsequent 
requesting process; and 

filtering the commit call according to whether the page can be shared and whether the process
can be secured. 

135. (Previously Presented) A computer program product according to claim 130 further directing 
the system to: 

provide a vault system for segregating vault data from other system data; and
provide a file system security driver which intercepts file system calls, and for each specific
one of said intercepted file system calls, determines whether said specific one of said intercepted file
system calls is from a process accessing said vault data, and, if said specific one of said intercepted
file system calls is from a process accessing said vault data, permitting the file system call to create
or modify data only within said vault system. 

136. (Previously Presented) A computer program product according to claim 130, further directing
the system to monitor a system clock of a computer to prevent unauthorized access to data by:

initializing a clock monitor via:

reading a first time value from the system clock;

determining whether a permissions database having one or more clock-related permission
fields, each field comprising one or more clock-related permissions, and having a stored time value
field comprising a stored time value, is initialized on the system;

if the permissions database is initialized, comparing the first time value to the stored time
value and, if the first time value is later than the stored time value, storing the first time value in the
stored time value field, if the first time value is earlier than the stored time value, disabling the one or
more clock-related permissions, whereby disabling the clock-related permissions prevents access to
the data; and

if the permissions database is not initialized, storing the first time value in the stored time
value field.
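The clock monitor recited in claims 103 and 136 amounts to a rollback check against a stored high-water mark. The sketch below is an added illustration, not code from the application; the class and function names, the choice of which permissions count as clock-related, the handling of an equal reading, and the sample readings are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PermissionsDatabase:
    """Constructed stand-in for the claimed permissions database."""
    initialized: bool = False
    stored_time: Optional[int] = None  # the "stored time value field"
    # Assumed clock-related permissions; True means still enabled.
    clock_permissions: Dict[str, bool] = field(default_factory=lambda: {
        "access_time": True,
        "expiration_date": True,
        "authorization_date": True,
    })

    def data_accessible(self) -> bool:
        # Disabling the clock-related permissions prevents access to the data.
        return all(self.clock_permissions.values())


def check_clock(db: PermissionsDatabase, first_time: int) -> str:
    """Run one pass of the clock monitor against a system clock reading."""
    if not db.initialized:
        # Database not initialized: store the reading as the baseline.
        db.stored_time = first_time
        db.initialized = True  # assumption: storing the baseline initializes it
        return "initialized"
    if first_time > db.stored_time:
        # Clock moved forward: advance the stored time value.
        db.stored_time = first_time
        return "advanced"
    if first_time < db.stored_time:
        # Clock reads earlier than a value already seen: treat as rollback.
        # The stored value is left alone, so the high-water mark survives.
        for name in db.clock_permissions:
            db.clock_permissions[name] = False
        return "rollback"
    return "unchanged"  # assumption: the claims do not cover an equal reading


def replay(readings: List[int]) -> Tuple[List[str], PermissionsDatabase]:
    """Feed a sequence of clock readings through a fresh database."""
    db = PermissionsDatabase()
    return [check_clock(db, t) for t in readings], db


# Constructed readings in seconds; the fourth one is set back.
SAMPLE_READINGS = [1_000, 1_060, 1_120, 400, 1_200]

if __name__ == "__main__":
    outcomes, db = replay(SAMPLE_READINGS)
    for reading, outcome in zip(SAMPLE_READINGS, outcomes):
        print(reading, outcome)
    # The claims describe no step that re-enables the permissions, so access
    # stays blocked even after the clock moves forward again.
    print("data accessible:", db.data_accessible())
```
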

137. (Previously Presented) A computer program product according to claim 130 further directing
the system to: 

detect an I/O request to a first device driver; 

determine whether said first device driver is functionally uppermost in a layered plurality of
device drivers;

if said first device driver is functionally uppermost in the layered plurality of device drivers,
perform the I/O request in said first device driver; and
if said first device driver is not functionally uppermost in the layered plurality of device
drivers, deny the I/O request in said first device driver, and allow the I/O request to be performed by 
a next lower-level device driver in the layered plurality of device drivers. 

138. (Previously Presented) A computer program product according to claim 129 further directing 
the system to: 

detect a port request for use of a port sent by a process; 
determine the identity of said requesting process; 

determine if said requesting process should be permitted to access said port; and 
allow the port request if said process should be permitted to access said port and deny the 
port request if said process should not be permitted to access said port. 

139. (Previously Presented) A computer program product according to claim 130 further directing 
the system to: 

detect a port request for use of a port sent by a process; 

if said port request is an open port request, determine the identity of said requesting process;
if said port request is an open port request, determine if said process should be permitted to
open said port; 

if said port request is an open port request, allow the open port request and track said open 
port request if said process should be permitted to open said port and deny said port request if said 
process should not be permitted to open said port; 

if said port request is a close port request, complete said port request; and 

log the closing of said port.

140. (Previously Presented) A computer program product according to claim 130 further directing
the system to: 

detect a network request for use of a network sent by a process; 
determine an identity of said requesting process; 

determine if said process should be permitted to access said network; and 
allow the network request if said process should be permitted to access said network and
deny the network request if said process should not be permitted to access said network.

141. (Previously Presented) A computer program product according to claim 130 comprising a 
package of information comprising: 

a file of data; 

a permissions database having one or more permissions associated with the file of data, the 
one or more permissions governing a client's use of the file; 

a package global unique identifier; and a receiver global unique identifier. 

142. (Previously Presented) The computer program product of claim 141 wherein the one or more 
permissions are selected from the group consisting of an access count permission, an access time
permission, an expiration date permission, an authorization date permission, a clipboard permission, 
a print permission, an unlimited access permission, an application permission, and a system-events 
permission. 

143. (Previously Presented) The computer program product of claim 142 further comprising a client
software. 

144. (Previously Presented) A computer program product according to 130 further comprising a
device driver program for directing the system to access data, said device driver program comprising
instructions for directing the system to:

detect a file system request; 

complete said file system request; 

receive return information from said file system request;

determine whether said file system request is for a tag file associated with a secured file; and
modify said return information to reflect a file attribute of the secured file, if said file system
request is for a tag file associated with a secured file.

145. (Previously Presented) The computer program product of claim 144 wherein the device driver
program further comprises instructions for directing the system to: 

determine whether said return information identifies a plurality of tag files associated with a 
plurality of secured files; and 

modify said return information to reflect a file attribute of the plurality of secured files, if said 
return information identifies a plurality of tag files associated with a plurality of secured files. 

146. (Previously Presented) A computer program product according to claim 130 further directing
the system to: 

protect secure data by implementing a port blocking system which operates to detect a port 
request for use of a port sent by a process; 

determine an identity of said requesting process; 

determine if said process should be permitted to access said port; and allow said port request 
to be fulfilled if said process should be permitted to access said port and deny said port request if
said process should not be permitted to access said port. 

147. (Previously Presented) A computer program product according to claim 130 further directing
the system to:

protect secure data by implementing a network blocking system which operates to determine
an identity of said requesting process;

determine if said process should be permitted to access said network; and

allow said network request to be fulfilled if said process should be permitted to access said
network and deny said network request if said process should not be permitted to access said
network.

148. (Currently Amended) A system for maintaining security during transmission of data between at
least two computers comprising: 

a first computer having a system for creating a package associated with a vault, the package 
comprising data bundled together with one or more permissions selected from a list of available 
permissions for regulating use of the data, the one or more permissions comprising one or more 
usage rule sets; and

a second computer having a system for receiving the package from the first computer,
opening the package upon verification and storing the data in the vault, the vault being dedicated
hard drive space whose existence and contents are invisible to a user, wherein the existence and
contents of the hard drive space are invisible to the user by an assignment of false file names and
locations as seen by the user.

149. (Original) A system according to 148 further comprising internal security, wherein the internal
security comprises a plurality of:

detecting violation of said one or more permissions;

creating a tag file corresponding to the data and mapping the tag file against the data in a 
virtual table, with the virtual table including an actual file name of the data and a corresponding tag 
name for the tag file, wherein the virtual table and the data are stored in the vault; 

identifying an anchor address corresponding to an original location for at least one of the 
vault, a driver used for reading of the package and a database storing the permissions, combining the 
addresses together to provide a key for regulating system operation and identifying when the key will 
not operate; monitoring a registry comprising: 

requesting a handle for a registry key to a calling process; 

requesting a registry key value for the handle; and 

obtaining security clearance to complete the requests; 

monitoring shared memory comprising: 

providing a call to reserve a memory page for a requesting process; 

filtering the reserve call according to whether the page can be shared;

providing a call to commit the memory page for the requesting process or for a 
subsequent requesting process; and 

filtering the commit call according to whether the page can be shared and whether the
process can be secured; 

providing a vault system for segregating vault data from other system data;

providing a file system security driver which intercepts file system calls, and for each
specific one of said intercepted file system calls, determines whether said specific one of said
intercepted file system calls is from a process accessing said vault data, and, if said specific
one of said intercepted file system calls is from a process accessing said vault data,
permitting the file system call to create or modify data only within said vault system; 
monitoring a system clock of a computer to prevent unauthorized access to data comprising: 
initializing a clock monitor comprising the steps reading a first time value from the
system clock; 

determining whether a permissions database having one or more clock-related 
permission field each field comprising one or more clock-related permissions, and a stored 
time value field comprising a stored time value, is initialized on the computer system; 

if the permissions database is initialized, comparing the first time value to the stored 
time value and, if the first time value is later than the stored time value, storing the first time 
value in the stored time value field; 

if the first time value is earlier than the stored time value, disabling the one or more 
clock-related permissions, whereby disabling the clock-related permissions prevents access 
to the data; 

if the permissions database is not initialized, storing the first time value in the stored 
time value field; 

detecting an I/O request to said first device driver; 

determining whether said first device driver is functionally uppermost in the layered 
plurality of device drivers; 

if said first device driver is functionally uppermost in the layered plurality of device 
drivers, performing the I/O request in said first device driver; and 

if said first device driver is not functionally uppermost in the layered plurality of 
device drivers, denying the I/O request in said first device driver, and allowing the I/O 
request to be performed by a next lower-level device driver in the layered plurality of device 
drivers; 

detecting a port request for use of a port sent by a process; 
determining the identity of said requesting process; 

determining if said process should be permitted to access said port; allowing said port 
request to be fulfilled if said process should be permitted to access said port and denying said 
port request if said process should not be permitted to access said port; 
detecting a port request for use of a port sent by a process; 
if said port request is an open port request, determining the identity of said requesting 
process; 

if said port request is an open port request, determining if said process should be 
permitted to open said port; 

if said port request is an open port request, allowing said open port request to be 
fulfilled and tracking said open port request if said process should be permitted to open said 
port and denying said port request if said process should not be permitted to open said port; 

if said port request is a close port request, completing said port request; 

logging the closing of said port; 

detecting a network request for use of a network sent by a process; 

determining the identity of said requesting process; 

determining if said process should be permitted to access said network; and 

allowing said network request to be fulfilled if said process should be permitted to 
access said network and denying said network request if said process should not be permitted 
to access said network; 

detecting a file system request; completing said file system request; 

receiving return information from said file system request; 

determining whether said file system request is for a tag file associated with a secured 
file; and 

if so, modifying said return information to reflect a file attribute of the secured file. 
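
The clock-monitor initialization steps recited above (read a time value, compare it with the stored time value, disable clock-related permissions when the clock has moved backwards), as an added C example that is not part of the filing. `struct perm_db`, `clock_monitor_init` and `data_access_allowed` are hypothetical names; treating an equal time value as "no change" and marking the database initialized on the first store are assumptions the claim text does not state.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_CLOCK_PERMS 4

/* Hypothetical in-memory stand-in for the permissions database. */
struct perm_db {
    bool    initialized;                  /* stored time value written yet? */
    int64_t stored_time;                  /* "stored time value" field */
    bool    clock_perm[MAX_CLOCK_PERMS];  /* clock-related permissions */
    size_t  n_perms;
};

enum clock_result {
    CLOCK_INITIALIZED,  /* database was not initialized; value stored */
    CLOCK_ADVANCED,     /* first time value later than stored; value stored */
    CLOCK_UNCHANGED,    /* equal values (case not covered by the claim) */
    CLOCK_ROLLBACK      /* first time value earlier; permissions disabled */
};

/* Run the initialization check with a time value read from the system clock. */
enum clock_result clock_monitor_init(struct perm_db *db, int64_t first_time)
{
    if (!db->initialized) {
        db->stored_time = first_time;
        db->initialized = true;           /* assumption: first store initializes */
        return CLOCK_INITIALIZED;
    }
    if (first_time > db->stored_time) {
        db->stored_time = first_time;     /* high-water mark only moves forward */
        return CLOCK_ADVANCED;
    }
    if (first_time < db->stored_time) {
        /* Clock was set back: disable every clock-related permission.
           The stored value is kept, so the rollback stays detectable. */
        for (size_t i = 0; i < db->n_perms; i++)
            db->clock_perm[i] = false;
        return CLOCK_ROLLBACK;
    }
    return CLOCK_UNCHANGED;
}

/* Access to the data requires the clock-related permission to be enabled. */
bool data_access_allowed(const struct perm_db *db, size_t perm)
{
    return perm < db->n_perms && db->clock_perm[perm];
}
```

Because the stored time value is never lowered, a later forward clock change updates the stored value but does not re-enable permissions in this example; re-enabling would need a separate, authorized path.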